In the first of an ongoing series of articles exclusive to Security Matters, Richard Jenkins explains how a ‘blended’ audit strategy involving both on-site and remote elements best serves the future interests of security buyers now facing up to significant additional COVID-related operational challenges.
Enabling employees’ return to the workplace during the COVID-19 pandemic continues to be a significant challenge for employers rightly concerned with safeguarding their members of staff and implementing a variety of additional measures to make premises COVID-secure.
Simultaneously, the global risk consultancy Sibylline has recently warned organisations to mitigate a variety of growing risks such as cyber attacks, terrorism and organised crime.
It’s abundantly clear that the impacts of COVID-19 demand an emphasis on appropriate security measures to effectively deter, detect and enable the appropriate response to any incident, protecting an organisation’s staff, assets, sites, business reputation and capacity to continue trading while not ignoring security risks.
Selecting security solution providers with suitable credentials is key. Independent third party certification supports this by dint of playing proxy for the discerning buyer. It serves to give confidence in the capability and integrity of providers, with the reassurance this entails of quality services supplied by companies which meet relevant standards and operational Codes of Practice.
In practice, benchmark certification is attained through a rigorous audit of the provider. You may be wondering, though, how the rigour of the certification process has been duly maintained since the COVID-19 pandemic lockdown process began back in late March.
Certification auditors have no longer been able to freely make audit visits in person. Instead, as an alternative, attention has turned to the use of remote audits transacted thanks to communication technologies. Importantly for the general public and those businesses reliant on this certification proxy, remote auditing must absolutely be robust in ensuring services meet the standards required. How does the remote scenario stack up against the tried and tested audit delivered in person?
The COVID-19 lockdown has seen collaboration technologies being put to the test in far wider use across society and no less so in the auditing community.
Interest in remote auditing has exploded dramatically over the last six months.
As the headlines would have it, COVID-19 means that, in the world of auditing, the time for remote audit has come. Where audit programmes require a focus on review and a reliance on documentation, the now widely familiar technologies of Skype, Microsoft Teams, Zoom etc. go a long way towards making this possible. That said, there are solid reasons why remote auditing may be neither practically nor operationally desirable.
With much of the security industry’s work and services conducted on-site or in the field, on-site audits continue to be essential in gathering evidence of compliance underpinned by technical product (and service) standards. On-site audit remains the mainstay of any product (or service) certification.
Accordingly, the National Security Inspectorate (NSI) has adopted a blended audit strategy – a carefully considered combination of remote and on-site audit capability fit for the future in a post-pandemic world and one that’s ‘in sync’ with current Government mandated COVID-19 guidelines.
As part of this, remote audits are routinely conducted at the NSI’s discretion for assessing ‘Management System’ requirements where process and control have a greater emphasis on documentation, while on-site verification and evidence gathering of service delivery ensures the audit jigsaw is complete.
Importantly, COVID-19 has not slowed the development of standards work, which has continued at pace during lockdown. Throughout, the NSI has continued its involvement in various standards-focused Working Groups. This has included the development of the British Security Industry Association’s recently-launched cyber security Code of Practice for the installation of safety and security systems, as well as revisions of the intruder alarm confirmation standard and the CCTV detector-activated alarm standard.
The NSI is also involved in the development of a new Alarm Receiving Centre alarm handling standard and, in the fire sector, is currently taking expressions of interest for the new BAFE SP207 Scheme for Evacuation Alert Systems.
These initiatives are all in addition to the NSI’s forthcoming Issue 3 Update to its own NCP 109 Code of Practice for Access Control Systems. Buyers choosing companies that comply with this new Code of Practice can be assured that their access control system design will reflect specific user needs, usability and operating requirements.
The NSI’s blended audit strategy, complemented by the Inspectorate’s continued focus on standards, delivers rigour and reassurance for those organisations seeking qualified service providers.
With businesses everywhere facing the unprecedented challenge of coming to terms with the consequences of the COVID-19 pandemic, it’s vital they can continue to place their trust in certification when sourcing security providers. The NSI’s blended audit strategy absolutely ensures that they can.
Richard Jenkins is Chief Executive of the National Security Inspectorate (www.nsi.org.uk)